Gafgyt

Malware updated 4 days ago (2024-09-04T12:17:45.676Z)
Gafgyt, also known as Bashlite, is malware that targets Linux-based operating systems with the primary aim of launching distributed denial of service (DDoS) attacks. It typically reaches a system through suspicious downloads, emails, or websites; once present, it can disrupt operations, steal personal information, or hold data for ransom.

Gafgyt and similar botnets such as Mirai dominate the IoT threat landscape. They scan IP addresses and domain names, generating random IP addresses as scanning destinations, and connect to command-and-control servers, where they await instructions to launch coordinated attacks on targeted victims.

In August 2023, a Gafgyt variant actively attempted to exploit CVE-2017-18368, a vulnerability in the end-of-life Zyxel P660HN-T1A router, in order to extend its DDoS attacks against Linux-based systems. By downloading and executing malicious scripts, the variant connects to its command-and-control servers and stands ready to launch coordinated attacks.

Another Gafgyt variant, built to cause denial of service (DoS) on Linux architectures, has been observed attacking the TP-Link flaw: it downloads and executes a script file, retrieves Linux executables whose filenames carry the prefix "rebirth", and then embeds the compromised target's IP address and architecture in its initial connection message. Unpatched devices remain at risk, since threat actors continue to deploy botnets including Moobot, Miori, AGoent, Gafgyt variants, and variants of the Mirai botnet, any of which can compromise the devices for further activity such as DDoS attacks. Researchers at FortiGuard Labs Threat Research and ThreatLabz have noted multiple attacks focusing on this vulnerability, with the Mirai and Gafgyt malware families responsible for the majority of them.

These botnets are known for turning devices into zombie-like members of their network, used to perform coordinated attacks on a large scale.
Description last updated: 2024-09-04T12:15:38.248Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Mirai Botnet | 3 | The Mirai botnet is a type of malware, specifically designed to exploit and damage computer systems. It infiltrates these systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold yo
Bashlite | 2 | Bashlite, also known as Gafgyt, is a type of malware that specifically targets Linux architecture operating systems. This malicious software is designed to infiltrate your system through dubious downloads, emails, or websites and can cause significant damage without your knowledge. Once Bashlite has
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Vulnerability
DDoS
Botnet
Linux
Bot
Exploit
Denial of Se...
Associated Malware
ID | Type | Votes | Profile Description
Mirai | is related to | 8 | Mirai is a type of malware that specifically targets Internet of Things (IoT) devices such as smart speakers, cameras, and connected home equipment. It exploits weak Telnet (port 23) and SSH (port 22) credentials to gain control over these devices. Once infected, these devices are then incorporated
Gafgyt Variant | Unspecified | 3 | The Gafgyt variant is a malicious software that poses a significant threat to computer systems and devices. This malware can infiltrate your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it has the potential to steal personal information,
Moobot | Unspecified | 2 | Moobot is a type of malware, or malicious software, designed to exploit and damage computer systems. It can infiltrate these systems via suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
Mozi | Unspecified | 2 | Mozi is a type of malware, a malicious software designed to exploit and damage computer systems and devices. It typically infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2023-1389 | Unspecified | 2 | CVE-2023-1389 is a significant software vulnerability, specifically a command injection flaw, found in TP-Link Archer AX21 routers. The flaw was publicly released in March of this year and has since been exploited by malicious actors to gain unauthorized access to devices. Attack traffic through the
Source Document References
Information about the Gafgyt malware was read from the documents listed below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 4 days ago | Zyxel fixed critical OS command injection flaw in multiple routers
BankInfoSecurity | 5 months ago | Exploited TP-Link Vulnerability Spawns Botnet Threats
DARKReading | 5 months ago | Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks
Fortinet | 5 months ago | Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread | FortiGuard Labs
CERT-EU | 8 months ago | Securing Public Sector Against IoT Malware in 2024 | Zscaler
CERT-EU | 8 months ago | Attackers Targeting Poorly Managed Linux SSH Servers
CERT-EU | a year ago | DDoS Malware Distributed Through Compromised Linux SSH Servers
CERT-EU | a year ago | Cybersecurity threatscape: year 2021 in review
SANS ISC | 10 months ago | Routers Targeted for Gafgyt Botnet [Guest Diary] - SANS Internet Storm Center
Securityaffairs | 10 months ago | Who is behind the Mozi Botnet kill switch?
Securityaffairs | a year ago | Gafgyt botnet is targeting EoL Zyxel routers
CERT-EU | 10 months ago | IoT security threats highlight the need for zero trust principles - Help Net Security
MITRE | 2 years ago | Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows
BankInfoSecurity | 10 months ago | Breach Roundup: Winter Vivern Hunting For Emails
Fortinet | 2 years ago | 2022 IoT Threat Review | FortiGuard Labs
CERT-EU | a year ago | New Strain of Sotdas Malware Discovered | Qualys Security Blog
CERT-EU | a year ago | Linux Servers Hacked to Launch DDoS Attacks and Mine Monero Cryptocurrency
CERT-EU | a year ago | Mirai Botnet's New Wave: hailBot, kiraiBot, catDDoS, and Their Fierce Onslaught
MITRE | 2 years ago | Chaos: a Stolen Backdoor Rising Again - GoSecure
Unit42 | 2 years ago | Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats